RFR: 8308144: HttpClient - uncontrolled memory consumption in SSLFlowDelegate.Reader

Jaikiran Pai jpai at openjdk.org
Mon Jul 24 06:30:48 UTC 2023


On Fri, 26 May 2023 09:17:41 GMT, zhurs <duke at openjdk.org> wrote:

>> When using HttpClient to make requests to HTTPS resources, there is an issue where the entire file is being downloaded into memory without the ability to limit the buffer size.
>> If the SSLEngine cannot decode the entire buffer due to the algorithm's blocking nature, it returns a decoded chunk of data and BUFFER_UNDERFLOW status, which leads to SSLFlowDelegate.Reader requesting more data despite the output queue being full.
>
> Thank you, I will look at these options.

Hello @zhurs, would you mind if one of us took over this PR and moved this forward? Daniel noted that the fix looks reasonable and it's the test which will need some work. We will add you as the co-author.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/14159#issuecomment-1647292115

